From patchwork Mon Jul 20 06:15:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Rheinhardt X-Patchwork-Id: 21197 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 27D08447BC6 for ; Mon, 20 Jul 2020 09:16:00 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 03E7268B994; Mon, 20 Jul 2020 09:16:00 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-ed1-f67.google.com (mail-ed1-f67.google.com [209.85.208.67]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 8E48E68B8B9 for ; Mon, 20 Jul 2020 09:15:53 +0300 (EEST) Received: by mail-ed1-f67.google.com with SMTP id d18so11905386edv.6 for ; Sun, 19 Jul 2020 23:15:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=czVRq/d/WDey0qx5kxUb3odzxXpBRO8UkjpdrGnRXNw=; b=Ia1ehJ8QTSC9HUs1/CfVmz9M1rQtO8ym3vUpQvbSoXPX8hTw5b1PaYWJqV3EL4LRws pJqcTy8tEJ5tYQzKzm8MQ/VTFVfWh41545SiCqAdqzCZIv4AjgDq3BpBtSRAErrs4pt0 ID3ZmbAHMPzph2pAlGrGSC6MXoqY5x4y/8m3uH2yAOY7+Q33uflB9Cc/YAY+a9jwpwYz 5GD/xsT9swyvdy2i3twuauyGiMZIerVv8H7xtXD7xhE7eywpx+iIywQuUyfW4S5HxBB6 WBu07eMmQbhY1AUrcH8x1WPd6Uqv4an1/sHFwfIa+DqZunlNlX2lM9fy6wQiIu2lTAob Q6QA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=czVRq/d/WDey0qx5kxUb3odzxXpBRO8UkjpdrGnRXNw=; b=TFi8Kt76gwnMfZZ+G456uNlZSUEO6yPBaadMbfZjrQ/F3rcpZmVSCve1jxdpwxrIM4 rp1rKJV1irgm+0F+U6JcMrzdjJ3QUh6JGgAE6FHP9hDkEozw5e0Lv6+KYNDPTEZn+hYD fCJlrQnnQELsW8fcsxVLKpgjZ/i+baHdr0qmq/yE7LNz2k5xd/26JKgYiKajfmUULGUm b6cXS6+nQI9yJW+cw0d1cUucwOLqoGsipKzIrjMI5DaoUd5e36rxf+HghPNx76FFywMU ilUxa1goLFNaVlv7tfI53dsCeizJtUO14wjoYuMGXzPLyfSD/Qtx6yGZtWxLOZsgtHQo RdQQ== X-Gm-Message-State: AOAM533tisChKcq1JYciXQVtt+w/3aYNjrDkpbGfadPMeh7VxEbB8nSm XjwSxm9Vk/YFeSrCnmk3HtlLzM6R X-Google-Smtp-Source: ABdhPJygizbjiaKN9RedmPwJRw0i7PevccUee0EJtKpg7yN8dnYoT2KTfRKlpoJh8vy2I8M8fJLEkQ== X-Received: by 2002:aa7:d88e:: with SMTP id u14mr20314847edq.11.1595225752655; Sun, 19 Jul 2020 23:15:52 -0700 (PDT) Received: from sblaptop.fritz.box (ipbcc10296.dynamic.kabel-deutschland.de. [188.193.2.150]) by smtp.gmail.com with ESMTPSA id y21sm14044773ejo.4.2020.07.19.23.15.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 19 Jul 2020 23:15:51 -0700 (PDT) From: Andreas Rheinhardt To: ffmpeg-devel@ffmpeg.org Date: Mon, 20 Jul 2020 08:15:43 +0200 Message-Id: <20200720061545.18854-1-andreas.rheinhardt@gmail.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 1/3] avformat/mxfdec: Fix memleak when adding element to array fails X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Andreas Rheinhardt Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Said array contains pointers to other structs and both the designated new element as well as other stuff contained in it (e.g. strings) leak if the new element can't be added to the array. Signed-off-by: Andreas Rheinhardt --- libavformat/mxfdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 90546d42b3..08ad92cc0c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -822,15 +822,17 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size return 0; } -static int mxf_add_metadata_set(MXFContext *mxf, void *metadata_set) +static int mxf_add_metadata_set(MXFContext *mxf, MXFMetadataSet **metadata_set) { MXFMetadataSet **tmp; tmp = av_realloc_array(mxf->metadata_sets, mxf->metadata_sets_count + 1, sizeof(*mxf->metadata_sets)); - if (!tmp) + if (!tmp) { + mxf_free_metadataset(metadata_set, 1); return AVERROR(ENOMEM); + } mxf->metadata_sets = tmp; - mxf->metadata_sets[mxf->metadata_sets_count] = metadata_set; + mxf->metadata_sets[mxf->metadata_sets_count] = *metadata_set; mxf->metadata_sets_count++; return 0; } @@ -2780,7 +2782,7 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF avio_seek(pb, next, SEEK_SET); } if (ctx_size) ctx->type = type; - return ctx_size ? mxf_add_metadata_set(mxf, ctx) : 0; + return ctx_size ? mxf_add_metadata_set(mxf, &ctx) : 0; } /** @@ -3083,10 +3085,8 @@ static int mxf_handle_missing_index_segment(MXFContext *mxf, AVStream *st) if (!(segment = av_mallocz(sizeof(*segment)))) return AVERROR(ENOMEM); - if ((ret = mxf_add_metadata_set(mxf, segment))) { - mxf_free_metadataset((MXFMetadataSet**)&segment, 1); + if ((ret = mxf_add_metadata_set(mxf, (MXFMetadataSet**)&segment))) return ret; - } /* Make sure we have nonzero unique index_sid, body_sid will be ok, because * using the same SID for index is forbidden in MXF. */ From patchwork Mon Jul 20 06:15:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Rheinhardt X-Patchwork-Id: 21198 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 25EEE447C4E for ; Mon, 20 Jul 2020 09:16:16 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 0DFF968B9D6; Mon, 20 Jul 2020 09:16:16 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-ed1-f65.google.com (mail-ed1-f65.google.com [209.85.208.65]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 8766868B9D4 for ; Mon, 20 Jul 2020 09:16:09 +0300 (EEST) Received: by mail-ed1-f65.google.com with SMTP id d16so11879971edz.12 for ; Sun, 19 Jul 2020 23:16:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=9stKbd4qkPuKTSkrnlmu9o0NJz28SHNCr9oRas2wgmI=; b=p9UE0GVRhKIJu7ioUs/Ts6odDhf3D76oPC90pZu3onvuVRPsvZZvM456j2ksiJKy5p klmXQMOjj83uzy/qu5V3BWWPBMBGtowgdkJI0OTFJI/vv9yd01JmQZUy1FuCF0nCLtjs cxHslfOezZB8LU+bpG3ZknmBJ6Ue6692a/6/pmK/BVAsFEJkM2vNB31YLP3Qvasiubep UcM171g2plK6dn6qvyCLXNqPBko5ZrBXh/rGdJMSz8XmR3JTXlxt6tXY8renDEQQnb0D EtgHN22UDSNcHxIuvGpMtJ3nL/X0pz1JFSggKZQXpNH0yZroUiXMJ6XdBab1k/6x5Bie 1daw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=9stKbd4qkPuKTSkrnlmu9o0NJz28SHNCr9oRas2wgmI=; b=bFyS6KWE0d1f7bsNBsxJOrNLBbmqHyrAD5kqFsK3sLxvZgDkhBHz2RwDwq6vVUU9jV YOohMl/xSygE0jAdKLuPVD7BVWfNwWn0HmmtJwQmN0GG8uDzLz8FEXyK+7KUMv4p0t+Y WAd0nWS92l9UtIaRsC+4IbLmMKo3VnHLiQHz7+IUNIERXrn9rO8oY8RDwJdmUftPwPT3 fR0G+7d3xVTvlrmzR/Sdn82n0yfjkTp7a1p09Bo8PdPbcmAE8Hgkoqo/6kTpHXoD0XPb lb2RjMmWYPa1GCiRtcP/Mw31dxhFLz5d28QGHTNWhXdZgiL7CxZ0Hzp7bOLb6LGpOeue pJeQ== X-Gm-Message-State: AOAM530Pr/F8PkLVr4urAI/UKkhVSyz4MqB5+TLh92CnZI1n+L8r/g2X WgwxcPKQ6DMvtBJSazu74zDOVQjy X-Google-Smtp-Source: ABdhPJyKLSR0wpXAVtKBrjCHiKJqHpm2A/FU0+pNzVVUicQlyipKWwOaElxzrdfJNh7z67bpKoEP0w== X-Received: by 2002:a05:6402:3049:: with SMTP id bu9mr20660544edb.232.1595225768576; Sun, 19 Jul 2020 23:16:08 -0700 (PDT) Received: from sblaptop.fritz.box (ipbcc10296.dynamic.kabel-deutschland.de. [188.193.2.150]) by smtp.gmail.com with ESMTPSA id y21sm14044773ejo.4.2020.07.19.23.16.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 19 Jul 2020 23:16:08 -0700 (PDT) From: Andreas Rheinhardt To: ffmpeg-devel@ffmpeg.org Date: Mon, 20 Jul 2020 08:15:44 +0200 Message-Id: <20200720061545.18854-2-andreas.rheinhardt@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200720061545.18854-1-andreas.rheinhardt@gmail.com> References: <20200720061545.18854-1-andreas.rheinhardt@gmail.com> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 2/3] avformat/mxfdec: Fix memleak when parsing tag fails X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Andreas Rheinhardt Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" The MXF demuxer uses an array of pointers to different structures of metadata (all containing a common initial sequence containing a type field to distinguish them) and some of these structures contain pointers to separately allocated subelements. If an error happens while reading and creating the tags, the semi-finished new tag is freed using the function to free these tags. But this function doesn't free the already allocated subelements, because the type has not been set yet. This commit changes this. Signed-off-by: Andreas Rheinhardt --- libavformat/mxfdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 08ad92cc0c..3016885e75 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2714,6 +2714,7 @@ static const MXFMetadataReadTableEntry mxf_metadata_read_table[] = { static int mxf_metadataset_init(MXFMetadataSet *ctx, enum MXFMetadataSetType type) { + ctx->type = type; switch (type){ case MultipleDescriptor: case Descriptor: @@ -2734,7 +2735,8 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF if (!ctx) return AVERROR(ENOMEM); - mxf_metadataset_init(ctx, type); + if (ctx_size) + mxf_metadataset_init(ctx, type); while (avio_tell(pb) + 4 < klv_end && !avio_feof(pb)) { int ret; int tag = avio_rb16(pb); @@ -2770,7 +2772,6 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF * it extending past the end of the KLV though (zzuf5.mxf). */ if (avio_tell(pb) > klv_end) { if (ctx_size) { - ctx->type = type; mxf_free_metadataset(&ctx, 1); } @@ -2781,7 +2782,6 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF } else if (avio_tell(pb) <= next) /* only seek forward, else this can loop for a long time */ avio_seek(pb, next, SEEK_SET); } - if (ctx_size) ctx->type = type; return ctx_size ? mxf_add_metadata_set(mxf, &ctx) : 0; } From patchwork Mon Jul 20 06:15:45 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Rheinhardt X-Patchwork-Id: 21199 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 58A3C447C4E for ; Mon, 20 Jul 2020 09:16:17 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 38F6B68B9E8; Mon, 20 Jul 2020 09:16:17 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-ed1-f67.google.com (mail-ed1-f67.google.com [209.85.208.67]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 6928568B9D5 for ; Mon, 20 Jul 2020 09:16:10 +0300 (EEST) Received: by mail-ed1-f67.google.com with SMTP id b15so11923184edy.7 for ; Sun, 19 Jul 2020 23:16:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=9psSG8yPzE2qIj7gC+dzo0yv6eKFNN/nWcXdnsm73Rg=; b=tX2EruV0+FbCF6nPshEFjPBEn4UMZ9Ox0IPR8cXiOYOAiItXZ7KAxzt8nO3q37r0ZE WFywt/DuQkyQxtNCBs9qEQxLN/tpDjxnZTgFv5lx1kfpncdyV2vxJ8HKx27IPNSDQbE1 Z98kxEjqZcSJ/m5eYsqRvQnqsV5nku6tgd+BfZHZt6lq2EXw65dgGo+Hry2Dt5gFWPul Jp8zaGmNIIzMjCeL8OilIUt5M07hV3ADcPnwwUSJ788yc+llgt1TGC+cjPuGkNeO+6FD YabcNxvnMAn+OHyi3BHCKYuoAIFUP1fMzkcT6iFNiF92SwB/BVT1uv8wQmsubvZBbSnw Q8eg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=9psSG8yPzE2qIj7gC+dzo0yv6eKFNN/nWcXdnsm73Rg=; b=KaLnP+2aLaF4DeM7k+WiWcBrZUqQ0qbEp4+7Bgc//3A59t+nX8bK8V7UZA1Tyskz4s eXXegz4EJnxh6lzfw9zvvo9v4/N1R0wIjiFob+S5jKxj/JVgbieRdEBK1LXjgFJWquA2 XU893c7bnGopmvZlHK0dZC6mYGw2NkiB8hjhe3Qz4Jo29kIlpk2NuHWHIytjXND+hK7N 7uE+8Aq25QNVcxHJCtqY0ZKOvLJxAjk/iAj/olQaWWrhP5K5m+reKl+tTG/kaQI2EV2T nhoCiBkE6jDydT9HqrQ+amfsIdxRceEKU/+vw5wsAJUQjVb4ZnmOYHpdjKXev1Fmh6/q 1Kow== X-Gm-Message-State: AOAM531qUfS5gJkCqcp4S0+gsYB3+s2iG2+hPZQStIyP8hTG2IvQvy7l f6uNtky57cEAjwBkmDGDb6ZItNN+ X-Google-Smtp-Source: ABdhPJzK/v4A3vx/Dr/f5gGgo5JttP24OmZS80tj/lAzq+x69aUVTmACpAQcwyIgJcgx9LuFv31vVQ== X-Received: by 2002:a50:c88d:: with SMTP id d13mr20479119edh.104.1595225769588; Sun, 19 Jul 2020 23:16:09 -0700 (PDT) Received: from sblaptop.fritz.box (ipbcc10296.dynamic.kabel-deutschland.de. [188.193.2.150]) by smtp.gmail.com with ESMTPSA id y21sm14044773ejo.4.2020.07.19.23.16.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 19 Jul 2020 23:16:08 -0700 (PDT) From: Andreas Rheinhardt To: ffmpeg-devel@ffmpeg.org Date: Mon, 20 Jul 2020 08:15:45 +0200 Message-Id: <20200720061545.18854-3-andreas.rheinhardt@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200720061545.18854-1-andreas.rheinhardt@gmail.com> References: <20200720061545.18854-1-andreas.rheinhardt@gmail.com> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 3/3] avformat/mxfdec: Fix memleak upon repeating tags X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Andreas Rheinhardt Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" When parsing MXF encountering some tags leads to allocations. And when these tags were encountered repeatedly, this could lead to memleaks, because the pointer to the old data got simply overwritten with a pointer to the new data (or to NULL on allocation failure). This has been fixed. Signed-off-by: Andreas Rheinhardt --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 3016885e75..f0975f409e 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -850,6 +850,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { *count = avio_rb32(pb); + av_free(*refs); *refs = av_calloc(*count, sizeof(UID)); if (!*refs) { *count = 0; @@ -903,10 +904,8 @@ static int mxf_read_content_storage(void *arg, AVIOContext *pb, int tag, int siz case 0x1901: if (mxf->packages_refs) av_log(mxf->fc, AV_LOG_VERBOSE, "Multiple packages_refs\n"); - av_free(mxf->packages_refs); return mxf_read_strong_ref_array(pb, &mxf->packages_refs, &mxf->packages_count); case 0x1902: - av_free(mxf->essence_container_data_refs); return mxf_read_strong_ref_array(pb, &mxf->essence_container_data_refs, &mxf->essence_container_data_count); } return 0;